
Fixed allocation-size-too-big error in H5MM.c #5076

Draft
wants to merge 2 commits into
base: develop

Conversation

bmribler
Contributor

@bmribler bmribler commented Nov 6, 2024

A decoded length appeared to be corrupted and had a very large value.
This PR added a check to detect such potential data corruption.

The fuzzer file is in the cve_hdf5 repo.

Fixes GH-4431

bmribler and others added 2 commits November 6, 2024 02:58
A decoded length appeared to be corrupted and had a very large value.
This PR added a check to detect such potential data corruption.
@bmribler bmribler added Priority - 1. High 🔼 These are important issues that should be resolved in the next release Component - C Library Core C library issues (usually in the src directory) Type - Security Security issues, including library crashers and memory leaks labels Nov 6, 2024
Contributor

@qkoziol qkoziol left a comment


Almost certainly, the cache is not the problem.

What kind of entry's "get_load_size" callback is being invoked to create the corrupted length?

@bmribler
Contributor Author

bmribler commented Nov 6, 2024

> Almost certainly, the cache is not the problem.
>
> What kind of entry's "get_load_size" callback is being invoked to create the corrupted length?

Thanks, Quincey. H5HL__cache_prefix_get_final_load_size/H5HL__hdr_deserialize:
heap.dblk_size = 18446744073709551392

@qkoziol
Contributor

qkoziol commented Nov 6, 2024

OK, so it's in the local heap decode / get size callback. Is there any sanity checking you can do there?

@bmribler
Contributor Author

bmribler commented Nov 6, 2024

> OK, so it's in the local heap decode / get size callback. Is there any sanity checking you can do there?

Oh, I think I can do a similar check in H5HL__cache_prefix_get_final_load_size. Right? Or maybe, H5HL__hdr_deserialize, if I have enough info...

@qkoziol
Contributor

qkoziol commented Nov 6, 2024

Yes, adding a sensible range check there is good.
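
The kind of range check discussed in this thread, as an added example that is not code from this PR or from HDF5: a simplified, hypothetical decoder for a local-heap length field that rejects the corrupted value quoted above (18446744073709551392) before anything is allocated from it. It assumes an 8-byte little-endian length field and a caller that knows the total file size and the file offset where the prefix ends; the limits are illustrative, not HDF5's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical: width of the decoded length field (as if "Size of Lengths" were 8). */
#define LEN_FIELD_SIZE 8

/* Decode a little-endian unsigned 64-bit value from a byte buffer. */
static uint64_t decode_u64_le(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = LEN_FIELD_SIZE - 1; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Decode a data-block size and apply a sensible range check.
 * Returns true and stores the size only if it is non-zero, fits in the
 * bytes that remain in the file after the prefix, and is small enough
 * that a later allocation cannot overflow. A corrupted length such as
 * 0xFFFFFFFFFFFFFF20 fails the remaining-bytes check immediately. */
bool decode_dblk_size(const uint8_t *buf, size_t buf_len, uint64_t file_size,
                      uint64_t prefix_end, uint64_t *dblk_size) {
    if (buf_len < LEN_FIELD_SIZE || prefix_end > file_size)
        return false;
    uint64_t len = decode_u64_le(buf);
    if (len == 0)
        return false;
    if (len > file_size - prefix_end)      /* cannot possibly fit in the file */
        return false;
    if (len > (uint64_t)SIZE_MAX / 2)      /* allocation-size sanity bound */
        return false;
    *dblk_size = len;
    return true;
}

/* Constructed samples: the corrupted size from the thread
 * (18446744073709551392 == 0xFFFFFFFFFFFFFF20) and a sane size of 88 bytes. */
static const uint8_t corrupt_len[LEN_FIELD_SIZE] = {0x20, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
static const uint8_t sane_len[LEN_FIELD_SIZE]    = {0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};

/* True when the corrupted sample is rejected for a 4096-byte file. */
bool corrupt_sample_rejected(void) {
    uint64_t sz = 0;
    return !decode_dblk_size(corrupt_len, LEN_FIELD_SIZE, 4096, 32, &sz);
}

/* Decoded size of the sane sample for a 4096-byte file (expect 88), 0 if rejected. */
uint64_t sane_sample_size(void) {
    uint64_t sz = 0;
    return decode_dblk_size(sane_len, LEN_FIELD_SIZE, 4096, 32, &sz) ? sz : 0;
}

/* True when a plausible-looking size is still rejected because the file is too short. */
bool sane_sample_rejected_for_short_file(void) {
    uint64_t sz = 0;
    return !decode_dblk_size(sane_len, LEN_FIELD_SIZE, 100, 32, &sz);
}
```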

@bmribler bmribler marked this pull request as draft November 7, 2024 17:22
Successfully merging this pull request may close these issues.

allocation-size-too-big error in H5MM.c